DPM tagged posts

Planning for protection as a part of an IT Service Continuity plan often takes into consideration backup of applications and data as well as restore. But what about security?

When planning for protection of applications and data in your environment, security should be right up there in the forefront. "Backup security" should be a key part of the plan.

Security in the context of backup can be thought of in two ways: #1 securing the backups themselves, and #2 using backups as an added measure for mitigating a security breach. Let me break this down further.

In regards to securing backups, you want to do things like encrypt backup data as it travels offsite, encrypt backup data at rest, be able to protect computers whose data is already encrypted, require security PINs or further authentication of admins for sensitive operations, and more.

In regards to backup as an added security measure, backup becomes a direct part of security planning in organizations. Sometimes when the other security measures fail, backups are the last resort that can save you. Backups are commonly becoming the way to recover from ransomware attacks as an alternative to paying the attackers. Here is a real world example.

Recently an unnamed hosting provider's entire data center was held hostage by a ransomware attack. The attacker got in due to a mistake by one of the system admins (more on how to protect at this level later) and basically had full domain admin rights to everything. Keep in mind that the majority of the servers in this scenario belonged to customers.

In this case the hosting provider had two choices. Option #1: go to the dark web via the Tor network and pay a ton of money in bitcoin for the decryption key. Option #2: restore everything from offsite backups and pray.

This hosting provider went for option #2 and thank goodness it worked. If it weren't for a solid offsite backup solution this hosting provider would have been up a creek without a paddle.

It is becoming more common for ransomware to target the backups themselves, because attackers understand that backups are the last resort companies have to save themselves. If the backups are deleted there is no choice left but to pay the ransom. This raises the bar for securing backups: administrative actions on backups, especially deleting backup data or removing protection, need an extra layer of security.

Microsoft's business continuity products help with not only protection but also security. These products consist of System Center's Data Protection Manager (DPM) and Operations Management Suite's Azure Backup (AB) and Azure Site Recovery (ASR). In this post I am only going to touch on DPM and AB.

Some exciting things have been happening with Azure Backup and Data Protection Manager to ensure security is front and center as a part of your enterprise backup solution. Microsoft's goal with backup security is to provide prevention, alerting, and recovery.

Just yesterday DPM update rollup 12 for 2012 and update rollup 2 for 2016 were announced. Along with UR2 come some enhanced security features for DPM; these are called out later in this post. Microsoft has rolled out some great security features to both products across hybrid clouds. I will go ahead and break these down.

– Azure Backup –

Encrypted backup data at rest
Described in DPM section.

Security PIN
With Azure Backup you can require a security PIN for sensitive operations such as removing protection, deleting backup data, or changing other settings in Azure Backup itself such as the encryption passphrase.

Azure Backup also has some other security measures in place, like a minimum retention range to ensure a certain amount of backup data is always available even after a delete, and notifications upon critical operations to subscription admins or others as specified.

NOTE: These security features are now also available in DPM with the URs (UR12 for 2012 and UR2 for 2016) announced yesterday. With Enhanced Security enabled, an administrator must enter the PIN to change the passphrase or delete backup data. Also, cloud-protected data that is deleted is retained for a minimum of 14 days, so an attacker (or a mistaken admin) who deletes the backups does not destroy them immediately.

MFA
MFA is Multi-Factor Authentication. Microsoft offers MFA as a part of Azure Active Directory. Within Azure Backup you can configure it to require MFA of admins when performing critical operations. By enabling MFA you ensure, via a second factor (usually a device physically in the user's possession), that the admin is who they say they are, so a stolen password alone is not enough to delete your backups.

NOTE: Once you enable these security settings they cannot be disabled.

Ransomware attacks
Described in DPM section.

– Data Protection Manager –

Backup data encrypted during offsite transfer
When data is sent from DPM to Azure Backup it is encrypted before it even leaves your four walls. Data is encrypted on the on-premises server (the client or the SCDPM machine) using AES-256 with a passphrase you choose, and then sent over an HTTPS link.

Encrypted backup data at rest
Once backup data is in Azure it stays encrypted at rest. Microsoft does not decrypt the backup data at any point, because the customer is the only one with the passphrase that can decrypt it. If this passphrase is lost, not even Microsoft can decrypt your backup data. That is exactly what you want from a security standpoint, but it also means the passphrase must be stored safely outside the environment it protects, so a ransomware attack that encrypts your servers does not take your passphrase with it. Treat losing the passphrase as losing the backups.

Protection and recovery of encrypted computers
The release of Hyper-V on Windows Server 2016 included a new feature known as Shielded virtual machines (VMs). This feature uses a virtual Trusted Platform Module (vTPM) and BitLocker to encrypt the virtual machine's disks at the virtual layer. This means that if a VM is copied off a Hyper-V host, whoever has the copy will not be able to get to the data on the virtual hard drive.

DPM 2016 supports protecting Shielded VMs, whether they use VHD or VHDX disks. This is great news because as a secure organization you should want to encrypt your virtual machines, and DPM can still protect them. This gives you an added layer of security on top of having backups.

Ransomware attacks
In today's world ransomware attacks are common. These attacks target small, medium, and large businesses; no company is too small or too big to be put in the crosshairs. A well-known example is CryptoLocker.

As mentioned earlier in this post, backups are the alternative to paying the ransom. The key is to have a solid offsite backup in place, such as Azure Backup. Having that offsite backup ensures you can get your data back even if the ransomware gets hold of your onsite backup data.

I even go as far as to recommend going beyond the classic 3-2-1 rule (3 copies of your data, on 2 different media, with 1 copy offsite) and keeping 2 copies offsite in addition to the 1 onsite. This way if something happens to one of your offsite copies you have another one. It may seem overkill to have 2 offsite copies, but you would be surprised how often offsite backup data is accidentally destroyed.

So there you have it. Security is a critical part of any backup solution. It is clear that Microsoft realizes this based on the security enhancements they have made to both Azure Backup and Data Protection Manager 2016. Their goal is to ensure both backup solutions are enterprise ready. I have been working with DPM for years and with Azure Backup since it came out. I know the team behind these products has a lot of new features and functionality planned for their future and I am looking forward to it.

It's almost time for MMS 2016. By the end of Friday 4-22-16 MMS registration will be closed, as the event has sold out! This year I have the opportunity to present twice and help facilitate one of the pre-con sessions. Here is a breakdown of my sessions.

Session #1: My first session is on Azure Stack, the new hybrid solution from Microsoft! This session will include me and Daniel Savage, an Azure Stack program manager from Microsoft. You never know what never-heard-before news you might learn about in this session. I recommend you sign up. Here is the title, description, and link for this session:

TITLE:– Future-proof your Career with Azure Stack in the New Hybrid Cloud World! –

DESCRIPTION: “Write once, deploy anywhere”, “extension of Azure”, “cloud agility”, “Cloud in your data center” What do all these buzz words mean to you and your career? How does Azure Stack Microsoft’s Hybrid solution apply to you as an IT Pro? Does Hybrid Cloud really have a place in the enterprise?

Come to this session and let Azure Stack Program Manager Daniel Savage and MVP Steve Buchanan unpack it for you.

Session #2: In my second session I will be presenting with my good friend and fellow MVP Robert Hedblom. He is making the trip all the way across the pond from Sweden for this event. Our goal for this session is to save jobs! hahaha.... You don't want to miss this session as we take you through the steps of designing your backup and restore strategies. Here is the title, description, and link.

TITLE:– Be a Hero or be Fired. Backup and Restore Strategy –

DESCRIPTION: Did you skip planning the backup strategy? If a disaster occurred could you restore or would you get fired?

Come see System Center MVP’s Steve Buchanan and Robert Hedblom walk you through building a bullet proof backup and restore strategy of your business services. These strategies can be used with Microsoft business continuity tools. Learn how to be a restore hero in the event of a disaster and keep your JOB!

Session #3: The third session is actually a 4 hour pre-con session about Operations Management Suite (OMS). This is a session you don't want to miss. It will be jam packed with MVP and Microsoft rock-stars and with deep knowledge, and again you never know what never-heard-before news you might learn about in here. In this session you will have direct access to the Microsoft product team behind OMS. I am honored to be a part of this session and have the opportunity to help facilitate it. Here is the title, description, speaker bios and link for this session.

TITLE:– OMS from “What is this?” to “Wow, it can do that?!” –

DESCRIPTION: This is a pre-con session where emcee’s Steve Buchanan and Cameron Fuller will facilitate a four hour session designed to explain what OMS is and what it can do for your organization.

In the first hour Bob Cornelissen (SCOMBob) and Cameron Fuller will provide an introduction to what OMS is and what benefits it can provide your organization.

In the second 1.5 hour session, join the Microsoft product team members as they dig in deep on IT automation within OMS.

In the final 1.5 hour session, join the Microsoft product team members as they dig in deep on Log Analytics & Security / Compliance.

Want DPM without having to buy System Center? Now you can have it. It is called Microsoft Azure Backup Server (MABS). Well, MABS is not really a full DPM but a scaled-back DPM. Microsoft released Microsoft Azure Backup Server on October 7th, 2015. In this post I am going to break down what Microsoft Azure Backup Server is.

Microsoft Azure Backup Server’s goal is to solve some problems that have existed with Azure backup for a while. These problems are:

-No centralization of protected servers with Azure Backup. Historically, if you did not have DPM and only had Azure Backup but needed to protect on-premises servers, you would install the Microsoft Azure Recovery Services (MARS) agent on each on-premises server, and each one was protected to Azure individually.

-Without DPM, Azure Backup can only back up files and folders. To protect workloads like SQL or Exchange to Azure you needed to protect them with DPM first and then send the data up to Azure.

-Purchasing a System Center license is not economical for some organizations.

Microsoft Azure Backup Server solves these issues because it is an on-premises backup server. Under the hood it is a scaled-back DPM, so it gives you similar functionality. It lets you protect the same workloads as DPM to disk on premises first and then up to Azure. Essentially it gives you two types of protection:

– Disk (D2D), giving fast recovery (low RTO) for tier 1 workloads

– Azure (D2D2C), for an offsite copy and long-term retention

Tape protection with Microsoft Azure Backup Server is not possible; it is not included in the product.

MABS also gives you a centralized location on premises to back up your on-prem servers to, manage the backup agent on those servers and see the status of their protection. MABS does this without the cost of a System Center license; it can be used when you subscribe to Azure Backup. MABS requires you to provide backup vault credentials during setup.

Then click on the “Download Microsoft Azure Backup Server for Applications” link as shown in the following screenshot.

Microsoft Azure Backup Server is great for organizations that need a backup solution without the cost of the entire System Center suite. Keep in mind this does not provide tape backup. However, backing up to Azure for offsite is a cost-effective solution, and MABS now gives you on-premises backup to disk as well.

Background for this post

Since DPM 2006, DPM has been able to protect SQL databases. In environments that are using DPM I still often see DPM backing up all other workloads but not SQL. There are reasons for this, such as a lack of understanding of how DPM protects SQL or a lack of trust in DPM to protect SQL. The goal of this blog post is to lay out why you would want to use DPM to back up SQL, what SQL versions and functionality (such as AlwaysOn) are supported, what happens under the hood when DPM protects SQL, and why you can use DPM as your sole solution for protecting SQL. This is an effort to convince those that don't use DPM for SQL backups today to start using it, and those that don't trust DPM for SQL backups that it is a great option to consider. This blog post is targeted directly at DBAs, or at DPM admins that need to give information about SQL protection to their DBAs.

One major challenge I had when I set out to write this blog post is that I am not a DBA or a SQL expert, so I don't have any SQL "street cred". I needed to fully understand what a SQL DBA would require to OK DPM being the sole backup solution for SQL in an organization.

I have the fortunate opportunity to work with an awesome SQL MVP named Jes Borland at Concurrency. As a part of my research for this blog post I reached out to Jes Borland to have a discussion around SQL protection. One of the important questions I asked her was "What things do you look for in a SQL backup solution?". Her response was "What I look for in a backup tool: the ability to do all types of SQL Server backups - full, differential, log, copy-only. Ability to take advantage of built-in backup compression." as well as "As a DBA, my main question is, "How do I restore?"". This was perfect, as these are the key things I should check that DPM can do.

Now that we covered the background let’s look at what DPM can do when it comes to SQL protection.

Why would you want to use DPM to backup SQL?

DPM understands SQL and was designed to protect the advanced configurations of SQL.

DPM can protect SQL at the instance level or the database level. When protection at the instance level is turned on, DPM detects new databases on that instance and automatically adds them to protection.

DPM is an affordable option for protecting SQL. It is a good fit for small SQL shops and can scale for large enterprise SQL shops.

DPM has self-service recovery of SQL databases using the Self-Service Recovery Tool (SSRT), which can be extended to DBAs.

What SQL versions and functionality does DPM support?

Versions:

2005

2008

2008 R2

2012

2014

Functionality:

SQL Clustering

When protecting a SQL cluster DPM is cluster aware: DPM knows the cluster's identity as well as the nodes in the cluster. If the clustered SQL instance fails over to a different node, DPM continues to protect it without any intervention from backup administrators.

SQL Mirroring

If the SQL database you are protecting is mirrored, DPM is aware of the mirrored databases and protects the mirrored data set properly.

SQL Log shipping

In scenarios where SQL log shipping is being used, DPM automatically discovers it and configures itself to co-exist with it, ensuring proper SQL protection.

SQL AlwaysOn

When protecting SQL AlwaysOn, DPM automatically detects Availability Groups, detects when a failover occurs and continues protection of the database.

What happens under the hood with SQL protection in DPM?

Protection:

When SQL protection is first set up, an express full backup of the database is created; this is the initial backup of the database. Express full backups bring over block-level changes of the database files themselves, which on the very first backup means the entire database.

Express full backups leverage a filter driver that DPM installs on the protected server. This filter tracks which blocks have changed since the last express full, so DPM does not need to read all of the data or compute checksums. The Volume Shadow Copy Service (VSS), and specifically the SQL Server VSS Writer, is then used to take an application-consistent snapshot of the database for the backup. This does two things: the database stays online and consistent while it is backed up, and after the initial backup only changed blocks are transferred, reducing the storage footprint. Backing up only the block-level changes also has a significantly lower impact on the protected server during backup.

After the initial backup of the SQL database, DPM performs subsequent express full backups, with synchronizations between them. Synchronizations copy over the SQL transaction logs (they are log backups). Recovery is possible from both express full and synchronization recovery points.

DPM can be set to synchronize SQL databases as often as every 15 minutes, so you can have frequent protection of SQL throughout the day. As a part of DPM SQL protection, recovery points are created for each incremental synchronization and each express full backup. DPM can maintain up to 512 shadow copies (express fulls) of a SQL Server database by storing only the block-level differences between them. With one express full backup per week, stored as one of 512 shadow copy differentials between one week and the next, plus 7 days x 24 hours x 4 synchronizations (every fifteen minutes) per week, DPM would have over 344,000 recovery points (what you restore from) for SQL.

The following screenshot is an example of SQL protection in DPM. The top half in red shows an example of auto protection of SQL at the instance level while the lower half in blue is an example of individual database protection.

Truncating SQL logs:

DPM does truncate the SQL transaction logs as a part of the backup process. Each synchronization is a log backup, and after it completes the backed-up portion of the log is marked reusable (truncated), creating empty space inside the transaction log file. Truncation does not make the file itself any smaller.

Note that if the synchronization interval is set to a long window of time, such as 12 hours, the transaction log file can grow very large between truncations, and once the file has grown it stays that size until it is shrunk. So the general rule is to keep the synchronizations closer together.

Shrinking the SQL transaction log files must be done manually or using a SQL maintenance job. This could also be done from a DPM pre-backup/post-backup script.

If "Just before a recovery point" is selected in the protection group, then synchronizations (incremental log backups) are not scheduled to run. Configuring this way tells DPM that only express full backups should run, and transaction logs will not be truncated by DPM in this scenario. For a database in the full recovery model that means someone else must take log backups, or the log will grow without bound.
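As an added example (not code from the original post), here is a PowerShell post-backup check that looks at each user database's log file size and log reuse state after DPM has synchronized, and shrinks only the logs that DPM has already truncated. It expects the SqlServer PowerShell module on the protected SQL Server and an account allowed to run DBCC SHRINKFILE; the instance name, size thresholds and the list of excluded system databases are assumptions.

```powershell
# Added example, not from the original post: post-backup log check for a
# DPM-protected SQL Server. Assumed: SqlServer module installed, the instance
# name and thresholds below are placeholders, and the caller can shrink files.
param(
    [string]$ServerInstance  = 'SQL01\INST1',  # assumed instance name
    [int]   $MaxLogSizeMB    = 4096,           # only act on logs larger than this
    [int]   $TargetLogSizeMB = 1024            # size to shrink back to
)

Import-Module SqlServer

# One row per online user database: log file size (size is in 8 KB pages)
# and why the log cannot currently be reused. LOG_BACKUP means DPM's
# synchronization (log backup) has not run recently enough; NOTHING means
# the log has been truncated and a shrink can actually release space.
$query = @"
SELECT d.name                 AS DatabaseName,
       mf.name                AS LogicalName,
       mf.size * 8 / 1024     AS LogSizeMB,
       d.log_reuse_wait_desc  AS ReuseWait,
       d.recovery_model_desc  AS RecoveryModel
FROM sys.databases d
JOIN sys.master_files mf ON mf.database_id = d.database_id
WHERE mf.type_desc = 'LOG'
  AND d.state_desc = 'ONLINE'
  AND d.name NOT IN ('master', 'model', 'msdb', 'tempdb')
"@

$logs = Invoke-Sqlcmd -ServerInstance $ServerInstance -Database master -Query $query

foreach ($log in $logs) {
    if ([int]$log.LogSizeMB -le $MaxLogSizeMB) { continue }

    if ($log.ReuseWait -ne 'NOTHING') {
        # Shrinking now would release nothing; the fix is more frequent DPM
        # synchronizations (or clearing whatever else is blocking log reuse).
        $msg = "{0}: log is {1} MB but reuse is blocked by {2} (recovery model {3}); not shrinking" -f `
               $log.DatabaseName, $log.LogSizeMB, $log.ReuseWait, $log.RecoveryModel
        Write-Warning $msg
        continue
    }

    # Log was truncated by the last synchronization; shrink the file itself.
    $logicalName = $log.LogicalName -replace "'", "''"   # escape for the T-SQL literal
    $shrink = "DBCC SHRINKFILE (N'$logicalName', $TargetLogSizeMB)"
    Invoke-Sqlcmd -ServerInstance $ServerInstance -Database $log.DatabaseName -Query $shrink
    Write-Output ("{0}: shrank log from {1} MB toward {2} MB" -f `
                  $log.DatabaseName, $log.LogSizeMB, $TargetLogSizeMB)
}
```

Run it from a DPM post-backup script on the protected server or from a SQL Agent job. The reuse check is the important part: a shrink only helps after the log has been truncated, and if the warning fires on every run, the right fix is a shorter DPM synchronization interval, not a scheduled shrink.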

Recovery:

A good friend of mine, System Center MVP Robert Hedblom, always says "backup is about the restore". I subscribe to the same principle: restore should always be the focus of any backup solution. In a disaster recovery situation DPM can restore a lost database to within 15 minutes of the failure. DPM can recover the database to the original instance, to a separate instance, to a folder, or even copy it to tape. You can see those options reflected in the following screenshot:

When recovering to the original SQL instance or an alternate SQL instance you can specify what state to leave the database in. Restoring the database in a non-operational (restoring) state, the equivalent of RESTORE WITH NORECOVERY, allows you to apply additional transaction log backups on top of the restored database.

You also have the option to specify where to place the database files (.mdf) and log files (.ldf) during the restore.

The DPM Self-Service Recovery Tool (SSRT) can be deployed on the client computers of the DBAs. When recovering a database using the SSRT the experience is much like recovering directly from DPM. When the New Recovery Job button is clicked, a Recovery Wizard window opens with the same options as recovering directly from DPM. The screenshot of the SSRT below shows the UI with a restore job that has completed.

Details of a recovery job in the SSRT are shown in the following screenshot.

Hopefully this article has shed some light on SQL protection with DPM and will help you consider using DPM to protect your SQL instances/databases. For further information on SQL protection with DPM visit the following links on TechNet:

I am very excited about something new with Data Protection Manager (DPM) that I was able to announce during my Enterprise Backup session at Microsoft Ignite (http://meme.ms/d5gpbrq). It is DPM Backup As A Service (BaaS). I wanted to blog about it with even more information about this new functionality in DPM.

Well what is DPM BaaS? In a nutshell it is Backup as a Service in Azure Pack powered by Data Protection Manager. This is a new resource provider built by the DPM team. It lights up the functionality for tenants to protect VM’s in Azure Pack. Here is a screenshot of what the new BaaS in Azure Pack looks like for a tenant:

DPM has always had a role in the Microsoft Private Cloud story. This role has been on the backend through backing up the Private Cloud fabric components that power Private Cloud (Windows Server, Hyper-V, System Center). The following image is the framework of Microsoft Private Cloud:

DPM has also been used for protection of front-end tenant workloads such as websites, SQL databases and virtual machines. However, protecting tenant workloads gave the tenants themselves no visibility or control. This story changes with the introduction of BaaS for Azure Pack, which gives tenants the control to choose whether they want to protect the virtual machines in their cloud!

NOTE: As of now BaaS for Azure Pack can only protect virtual machines in tenant clouds. If you would like to see BaaS extended to protect other areas of the Private Cloud such as SQL databases or websites, feel free to reach out to me.

Now let’s pick apart this new DPM BaaS to gain a better understanding of it in the rest of this post.

DPM BaaS in Azure Pack Architecture

So what do you need for this new BaaS? The following components make up BaaS:

You can deploy many DPM servers for scale as your Private Cloud grows. The rest of the components are standard with a Private Cloud so if you already have Azure Pack running you simply need to add DPM and the DPM BaaS Resource Provider.

As previously stated, BaaS only protects virtual machines. The DPM agent needs to be installed on the Hyper-V hosts; BaaS in Azure Pack does not do this for you. No DPM agent is required inside the VMs: the agent is installed on the Hyper-V hosts only.

Admin Perspective

Now let's take a look at what an admin can do with BaaS. NOTE: BaaS is still under development, so some of these features may change. If you have any feedback about the features and functionality you would like to see, feel free to contact me. Let's explore the BaaS admin perspective through a series of screenshots.

Here is a shot of VM Backup within the Azure Pack admin site. This is where you register the resource provider with SPF, add a DPM server, or create a server group. Note that you still need to deploy your DPM servers before you can add them to BaaS; BaaS will not deploy the DPM servers for you.

A server group lets you logically group DPM servers, apply settings to the group, and then add the group to a plan for tenants. An admin of the Resource Provider sets the Protection Group policy settings that will be used for all subscriptions to a particular plan.

The next two screenshots show creating a new group.

This screenshot shows the registration of a DPM server. Notice you have the ability to add the DPM server to a group. Adding the DPM server to a group is optional.

The next three screenshots give you an idea of what settings you can set for a group. These settings will help you apply limits to the tenant that will be assigned this group via a plan. Notice that some of the settings will look familiar to what you see in DPM when setting up a Protection Group.

This final screenshot is of Usage & Metering for the Resource Provider. The cool thing about this is that we do not have a dashboard like this in DPM. This monitoring can be scoped per VM or across the whole BaaS Resource Provider. Here is what you can see as part of this monitoring:

Retention Days

Number of Restore Points

Size used

Tenant Perspective

So we walked through what an administrator can do in BaaS; let's look at the tenant's perspective. Here is what a tenant can do with BaaS:

Ability to add a VM under protection. This essentially adds the VM to a DPM protection group on the backend. If a Protection Group does not exist for this tenant's subscription yet, one is created.

Ability to back up a protected VM. This creates a Recovery Point in DPM on the backend. An admin of the BaaS resource provider has the option to allow or disallow this for tenants.

Ability to restore a protected VM. This restores a VM from a Recovery Point in DPM on the backend. Self-service restore of a deleted VM that was protected is out of scope, as DPM doesn't have the VMM information (cloud, etc.) to correctly reassign it to a tenant. However, an administrator with direct access to DPM can still go and restore the VM.

Ability to remove a VM's protection. The protection group for the tenant subscription is created when the first VM is protected and destroyed when the last VM is removed.

This new reporting for DPM is part of Operations Manager (SCOM). SCOM can monitor your DPM servers, so it only made sense to build the new reporting framework in SCOM. Data from your DPM servers is brought into SCOM through monitoring and placed in SCOM's data warehouse database. This data is then accessed via a new set of DPM SQL views and served up to the reports.

Following is a breakdown of what you need to get the new reporting framework put in place and configured.

What do you need?

SCOM 2012 R2 deployed with the Data Warehouse working.

The DPM management packs must be imported into SCOM and the DPM Central Console must be deployed.

DPM 2012 R2 and the Central Console must be on UR5.

SLAs must be configured on your DPM servers using the Set-DPMProtectionGroupSLA cmdlet to get SLA data in the reports. More on this later.

The File Services MP is a prerequisite of the DedupReporter MP.

You must be careful about how you install/upgrade the DPM Central Console and management packs in SCOM, as you can run into problems if you do not pay attention. I have had to re-deploy a SCOM server once in a lab to get this to work. Here is the order I follow and have had the best success with:

How to deploy the reporting?

1st: Import the RTM 4.2.1126 MPs into SCOM. (You may already have these loaded. They are the DPM 2012 R2 RTM MPs and are named:

NOTE: With the new DPM MPs there are two additional MPs that were not part of the DPM RTM MPs: Microsoft.SystemCenter.DataProtectionManager.2012.Reporting.mp, which is required for the new reporting, and Microsoft.SystemCenter.DataProtectionManager.DedupReporter.mp, which is optional if you want reporting around de-duplication on your DPM servers. Here is a screenshot of importing the new DPM MPs and the File Services MP:

After you import the new DPM MP’s you should have the following management packs loaded in your SCOM:

In SCOM if you navigate to the Reporting workspace you will have System Center 2012 R2 Data Protection Manager Reporting. Here you will find the DPM Executive Summary Report.

The following screenshot is what the DPM Executive Summary Report looks like.

6th (Optional): Configure SLAs on your DPM servers using the Set-DPMProtectionGroupSLA cmdlet to get SLA data in the reports. This has to be done on each DPM server, for each protection group that you want SLA reporting on. The steps are:

Launch the DPM Management Shell. Run Get-DPMProtectionGroup -DPMServerName YOURDPMSERVERNAMEHERE to get a list of protection groups.

Run Get-DPMProtectionGroup | where {$_.Name -ieq 'Exchange Mailbox Databases'} | Set-DPMProtectionGroupSLA -SLAInHours 24 to set the SLA on a protection group. Use plain hyphens and straight quotes; the curly ones a blog editor substitutes will break the command.

That is it. Now you have set an SLA for your protection group. The SLA is defined in hours. DPM checks the SLA once a day and writes an event to the DPM Backup Events log in the event log.
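As an added example (not from the original post), the same cmdlets can be driven from one script so that every protection group on a server gets an SLA and none are forgotten. It runs in the DPM Management Shell on a DPM 2012 R2 UR5 or later server; the server name, group names and hour values are assumptions.

```powershell
# Added example, not from the original post: set an SLA on every protection
# group of a DPM server. Assumed: DPM 2012 R2 UR5+ Management Shell; the
# server name, group names and hour values are placeholders.
param(
    [string]$DPMServerName     = 'DPM01',  # assumed server name
    [int]   $DefaultSLAInHours = 24
)

# Per-group overrides keyed by protection group name; anything not listed
# gets the default. Groups synchronized every 15 minutes can carry a much
# tighter SLA than groups that only run a weekly express full.
$slaByGroup = @{
    'Exchange Mailbox Databases' = 24
    'SQL Production'             = 4
    'File Servers'               = 48
}

$groups = @(Get-DPMProtectionGroup -DPMServerName $DPMServerName)
if ($groups.Count -eq 0) { throw "No protection groups found on $DPMServerName" }

$report = foreach ($pg in $groups) {
    $hours = if ($slaByGroup.ContainsKey($pg.Name)) { $slaByGroup[$pg.Name] } else { $DefaultSLAInHours }
    # Same cmdlet as the manual step, applied to each group object in turn.
    Set-DPMProtectionGroupSLA -ProtectionGroup $pg -SLAInHours $hours
    [pscustomobject]@{ ProtectionGroup = $pg.Name; SLAInHours = $hours }
}

# An override that matched no group is usually a renamed group or a typo;
# surface it rather than silently leaving that group on the default.
$missing = $slaByGroup.Keys | Where-Object { $groups.Name -notcontains $_ }
if ($missing) { Write-Warning ("No protection group named: " + ($missing -join ', ')) }

$report | Sort-Object ProtectionGroup | Format-Table -AutoSize
```

Re-run it whenever you create a new protection group: the SLA is stored per group, and a group without one produces no SLA data in the reports.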

That’s all for the setup and configuration. Stay tuned for a post on how to build out custom reporting in the enhanced reporting framework in the near future.

I will be presenting with some good friends, Microsoft PFE Islam Gomaa and System Center MVP Robert Hedblom, at Microsoft Ignite next Tuesday, May 5th, 05:00PM – 06:15PM.

The session is Enterprise Backup: Custom Reporting, BAAS and Real-World Deployments in Data Protection Manager. Here is what we will cover in the session:

This session covers the recently released enterprise-grade reporting framework in Microsoft System Center Data Protection Manager for IT admins to build custom reports and dashboards for monitoring and managing their entire backup operation. It also will cover offline backup to Azure and will highlight real-world deployment best practices for protecting applications in a hybrid environment using Microsoft Azure Backup.

We also will have an announcement about something new with DPM in the Microsoft Private Cloud story!

Did you miss my recent webinar with Savision about ‘Service Management’s Role in the Private Cloud’? This was co-hosted by Savision’s co-founder and VP of Product Management, Dennis Rietvink. If you would like to see it or watch it again, the on-demand version is now available.

“Screenshots from the webinar”

During the webinar, we covered the key factors in Private Cloud projects and why Private Clouds fail...